OCR Begins Pilot Program to Conduct Privacy and Security Audits Mandated by HITECH Act
November 15, 2011 | Authors: J. Austin A. Broussard; Robert M. Keenan
Law Firm: King & Spalding LLP - Atlanta Office

On November 8, 2011, the Department of Health and Human Services, Office for Civil Rights (OCR) announced that it will begin implementing the requirement outlined in Section 13411 of the HITECH Act, which mandates that HHS conduct periodic audits to ensure that covered entities and their business associates are complying with the HIPAA Privacy and Security Rules and the Breach Notification standards.  OCR plans to conduct a pilot program to audit up to 150 covered entities between November 2011 and December 2012.  Audits of business associates will commence after the conclusion of the pilot program.

To assess HIPAA compliance efforts and to identify risks and best practices not otherwise surfaced through its compliance investigations, OCR will begin auditing a range of covered entities this month.  OCR describes the audits as “compliance improvement activities” that will be used to better understand entities’ compliance efforts with regard to particular aspects of the HIPAA rules.

OCR will select the covered entities to be audited and inform them of the audit in writing.  Entities selected for audit will be required to provide documentation of their privacy and security efforts within ten business days of a request.  During the pilot program, OCR site visits will be mandatory and may include interviews of personnel and observation of compliance processes.  OCR will notify the entity between thirty and ninety days prior to the scheduled site visit.  Depending on the size and complexity of the entity, site visits will last between three and ten business days.

Following the site visit, the OCR auditor will issue a draft report to the entity, and the entity will have ten business days to review and comment on the report.  In its comments, the entity must also address the corrective actions it will take in response to the auditor’s findings.  Within thirty days of receiving the entity’s comments, the auditor must finalize the report.  OCR will use these finalized reports to determine what types of technical assistance OCR should develop in the future and which corrective actions are most effective.  Should an audit report indicate a serious compliance issue, OCR may initiate a compliance review to address the problem.  However, OCR will not post a listing of audited entities, nor the findings of any individual audit in a form that clearly identifies the audited entity.